Approaches to security and compliance
in the finance industry
Contents
Introduction
Methodology
Summary
Main Findings
Significant issues
Biggest challenges
Global vs. local control
Number of suppliers
Benefits of a single management point
Email interaction with customers
Cost of message management
Governance and compliance
Conclusion
Contacts
Introduction
Email is now the foundation of business communication, replacing paper and voice as the most critical single element of the corporate communications infrastructure. Recent years have seen an exponential growth in the amount of information flowing through electronic communication channels.

Email and other electronic messaging, such as instant messaging (IM) and text messaging (SMS), are now considered a viable medium for taking orders, sending approvals and contracts, and discussing sensitive financial issues. As financial services organisations open up their networks to clients and partners, they are being forced to take the threats of spam, viruses and denial-of-service attacks seriously to avoid any disruption to their business. In the wake of complex corporate failures such as Enron, WorldCom and Parmalat, they are also coming under increasing pressure from regulators to maintain archives of all communications.
But how are large organisations managing these challenges? This was the overall
question set by this survey, conducted by MORI on behalf of BT, which sought clear
and unbiased feedback from leading financial services companies across the UK,
US and Europe.
Firstly, the survey established the profile of the interviewees, ensuring that respondents
had responsibility for contributing to strategic decisions about message management.
Respondents tended to be from large organisations, with 25 per cent claiming more
than 15,000 employees worldwide. These include names such as AIG, Barclays Bank,
Société Générale and Swiss Life.
Major challenges
The survey considered the major issues in email message management that
organisations face today, and asked them to predict how the cost and significance
of these issues will change in the coming years. It then sought to discover how the
message management infrastructure is currently organised, and identify areas where
respondents thought this could be improved to meet future needs.
In particular, the survey examined the major challenges around security and
compliance, and sought to identify where organisations’ priorities lie in terms of
budget growth and allocation. The link between security and compliance was also
examined, in addition to organisations’ readiness to meet requests from regulators
for access to archived communications.
The results make important reading for any senior manager involved in strategic decisions about message management. They reveal differences in focus among the countries surveyed, and illustrate the key role that a secure messaging infrastructure plays in today's financial organisations.
The following document provides important insights into the survey results.
Methodology
This research was conducted by MORI on behalf of BT. One hundred and twelve interviews were conducted within retail and wholesale banks, insurance companies, investment managers and building societies. Interviews addressed a representative sample of organisations in the UK, US, France, Germany and the Netherlands.

Interviews by sector and country (columns in the order the countries are listed above):

Sector                  UK   US   France   Germany   Netherlands   Total
Banking                 10   19   16       10        5             60
Insurance                8    5    4        8        4             29
Investment management    2    2    1        2        0              7
All                      4    0    0        0        0              4
Other                    1    5    0        0        0              6
Don't know/refused       5    0    0        0        1              6
TOTAL                   30   31   21       20       10            112
Of the 112 respondents, 79 had responsibility within the IT side of the business,
and 33 worked in the areas of risk and compliance. MORI interviewed senior staff
with responsibility for IT, with job titles including CIO, systems director and IT
director. Managers responsible for operations and risk management were also
interviewed, and job titles in these areas included head of compliance and head
of risk.
Some questions were asked of both IT and risk groups, while others were specific
to one.
Within the 112, 89 respondents worked for organisations that had some level of
retail finance business, and several questions were asked just of this segment.
On certain questions, the responses do not add up exactly to 100 per cent due to
rounding or the fact that multiple responses were allowed.
Fieldwork
Fieldwork and data processing were carried out at the end of 2004. All interviews were conducted by telephone using CATI (Computer Assisted Telephone Interviewing). No financial incentives were offered to respondents, only a copy of the final published findings.
Summary
• Of the external threats that financial organisations face, viruses are still seen as the most potentially damaging, and are rated as a more significant issue than spam, hacking and phishing. This is expected to still be the case in three years' time.
• Across the different countries surveyed, France is the most focused on security
concerns such as viruses and boundary protection, while the UK and US are most
concerned about archiving and compliance issues.
• Most organisations don’t know the total cost of ownership (TCO) of their current
messaging environment, which is probably a reflection of the complexity of
measuring an environment that spans all parts of the business. Success is likely
to be seen as the absence of failures and attacks that damage the business.
• The largest budget increases related to message management across all countries
except France will be in the areas of archiving and compliance. Although this will
include an element of security, storage and retrieval are the most crucial areas for
development.
• For the majority of retail finance respondents, email is already an important tool for
interacting with customers. They would like to use this communication channel
more if security and authentication concerns can be addressed.
Main Findings

Significant issues
Viruses are considered the most significant issue that organisations face in managing their messaging environment, with 86 per cent of respondents saying this was a significant issue. Interestingly, even phishing attacks, which have mainly targeted the most prominent retail banks to date, were considered a significant issue by 60 per cent of respondents. This is probably due to rising press coverage of the threat, and associated reputational risk issues.

Looking at the geographic breakdown for ratings on the significance of these issues illustrates some interesting trends that are borne out in the results of subsequent sections.

Ninety per cent of UK respondents rated archiving as a significant issue today. This result can be associated with that country's Financial Services Authority (FSA) and its regulatory agenda, together with the close linkages to US firms who have already been forced to address this issue by the Securities and Exchange Commission (SEC). This compares to the 60 per cent of Dutch and 67 per cent of French respondents who thought this issue significant.

"Identification and storage of what we need to archive is a challenge. Most of what we receive is garbage, and we don't want to have to save everything." – UK

"Our main challenges are to ensure availability and integrity of mails as well

Q1a. How significant do you think each of the following issues is for your organisation now?
(Response scale: Very, Fairly, Not very, Not at all, Don't know.)

Q1b. How do you see the significance of these issues changing for your organisation in three years' time?

                      Much more   Little more   Little less   Much less   Same   Don't know
Spam                     39          16            8             6        26        4
Viruses                  42          22            4             2        28        3
Hacking                  32          21            5             3        33        5
Phishing                 30          22            7             3        29        8
Archiving                33          23           11             4        29        1
Mailbox management       28          26            9             3        30        4
Base: All respondents (112) %

Q1c. How well prepared do you think your organisation is to meet the challenges of mailbox management?
Q1c. How well prepared do you think your organisation is to meet the challenges
of mailbox management?
Biggest challenges
This was an open-ended question and not surprisingly, given the wide range
of internal and external threats that organisations face, security tops the list of
challenges for IT respondents, followed closely by archiving.
Again, archiving and security are the two areas with the largest geographical differences.
Only six per cent of French respondents considered archiving a challenge, as opposed to
41 per cent of UK and 50 per cent of Dutch respondents. On the flipside, 61 per cent of
those representing organisations in France thought security was challenging, compared
to 18 per cent of US and zero Dutch respondents.
In a separate question, 81 per cent of respondents agreed with the following statement:
The threat of ‘email anarchy’ and escalating costs is real for those companies who do
not address their message management correctly.
Q2. What are the biggest challenges for your organisation in message management?
Security 30%
Archiving 28%
Email 18%
Accessibility/availability 5%
Other 25%
Don't know 5%
None 9%
Base: All IT respondents (79) %

"Archiving is an open question for us, we know what we want to do but the technical implementation will be a challenge, i.e. how in detail we will set everything up to satisfy strategy and cost factors. We will also in the near future harmonise the messaging systems to prevent a cost increase in the long term. Again, the real technical implementation will be a challenge." – Germany
Global vs. local control
Q3. Are the following areas managed primarily at a global level (i.e. decisions are taken strategically from head office and implemented consistently across the company network) or at a local level (i.e. decisions are taken locally or regionally on a case-by-case basis)?
Number of suppliers
Although this question didn’t specify the full scope of messaging areas, from general
email applications through to boundary protection and archiving and retrieval,
the majority of respondents, 51 per cent, admitted to using more than one supplier.
Almost one in five (19 per cent) use more than four. US-based organisations use
the most with 55 per cent having three or more suppliers. German organisations
use the least with 78 per cent having only one supplier.
Q4. How many suppliers do you use for messaging solutions?
(Chart; response options: 1, 2, 3, 4 or more, Don't know.)

Benefits of a single management point
Q5. What would you see as the key benefits of having a single management point for your messaging systems?
Control 4%
Base: All IT respondents (79)
Email interaction with customers
The majority of all respondents want to increase use of email for almost all the listed purposes, but a significant number – 72 per cent – believe that security is the biggest deterrent to realising their ambitions. This highlights the need for a more secure email infrastructure that is capable of integrating with other bank systems and delivering information to customers in a trustworthy manner.

(Chart: desired change in use of email for each listed purpose; response scale Increase a lot, Increase a little, Stay the same, Decrease a little, Decrease a lot, Don't know.)

Q7. Which of the following would you like to do more with customers by email?
Day-to-day contact 55%
Statement provision 54%
Base: All retail respondents (89)

Q8. Which, if any, of the following would you say are significant deterrents to increased customer interaction by email?
Viruses 57%
Compliance 47%

Q9. Which of the following messaging processes or systems do you currently outsource?
Compliance 13%
Cost of message management
The cost of administering the messaging infrastructure is most likely to increase in the area of compliance, according to 65 per cent of all respondents. Particularly in the Netherlands and US, costs are predicted to rise in this area, with 75 per cent and 73 per cent respectively predicting compliance will become more expensive. France (67 per cent) and the UK (65 per cent) also expect compliance costs to rise, with only Germany lagging behind the average with 50 per cent.

In line with the security focus identified in earlier questions, the highest response for costs increasing in relation to boundary protection came from those surveyed in France, at 78 per cent, followed closely by the Netherlands with 75 per cent. In the UK, only 29 per cent expected costs in this area to rise.

Expected costs and budget allocation normally align quite closely, although this isn't always the case, as sometimes costs are spread over several budget cycles. But in this case, compliance cost increases and budget increases would look to be broadly in alignment. This is particularly the case in those countries that have previously been identified as being concerned about compliance issues. Forty-one per cent of UK and 55 per cent of US respondents will be spending more on compliance, as opposed to only 11 per cent of German respondents. France is the odd country out with only six per cent planning to increase compliance budgets, despite 67 per cent believing the cost of compliance is likely to rise.

In the area of secure messaging, many more French and German respondents expected budget rises than their UK, US and Dutch counterparts.
Expected change in the cost of administering each area:

                      Increase a lot   Increase a little   Decrease a little   Decrease a lot   Same   Don't know
Boundary protection         20               34                  13                 1          24         8
Secure messaging            25               38                   9                 3          22         4
Compliance                  29               35                   4                 3          22         8
Mailbox management          18               34                  13                 4          30         1
Base: All IT respondents (79) %

(Chart: Compliance, Boundary protection, Secure messaging, Mailbox management, Don't know; figures shown 14%, 29%, 19%, 19%, 19%; base: All IT respondents (79).)

Given the cost-cutting exercises that many banks have gone through in the past few years, and the pressure on managers to demonstrate return on investment (ROI) and total cost of ownership (TCO) for technology investment, the results for question 12 might seem surprising.

Seventy-seven per cent of IT respondents don't know the TCO for their current message management services, and this percentage was even higher – 89 per cent – in both France and Germany. This is possibly due to the complex nature of the messaging infrastructure and the fact that it touches every line of business and support department. As well as specific messaging applications, the infrastructure also requires associated investment in hardware and ongoing maintenance and support.

In the majority of cases where TCO has not been calculated, it is likely that reliability and invulnerability – the lack of attacks and failures – are seen as the measuring stick for success or otherwise of any investment in the messaging infrastructure.

Q12. Do you accurately know the total cost of ownership (TCO) for your current message management services?
Yes 23%
No 77%
Base: All IT respondents (79)
Governance and compliance
IT governance includes activities such as providing clear audit trails and effective archiving in order to meet organisational compliance and governance regulations. Only 25 per cent of German respondents expect a significant increase in IT governance costs, as opposed to a group average of 56 per cent. The UK came in highest here, with 70 per cent. Costs rise in relation to what needs to be undertaken to help the organisation achieve compliance and best practice, so this indicates that there is still a lot of work to be done.

The retrieval aspect of the archiving required by legislation is often ignored. But simply having all relevant information and communications stored somewhere is not enough to achieve compliance. Organisations need to be able to access the required information in a timely fashion in response to requests, or risk a fine.

Forty-eight hours is the usual turnaround time for requests from the US Securities and Exchange Commission (SEC), and while many other regulators haven't specifically set such timeframes, it is a useful benchmark for analysing an organisation's archiving and retrieval capabilities.

"manage our messaging environments better. There is governance around what we can and can't do, and this is having a positive impact in making us more efficient." – US
Q13. What impacts do you think compliance will have on your message infrastructure?
High impact 6%
Authentication 5%
More difficult 2%
Improve standards 2%
Pre-scanning for dangerous word combinations 1%
Little impact 1%
Other 14%
Don't know/no answer 7%
Base: All IT respondents (79) %

(Chart accompanying the IT governance cost figures above; response options: Very significant, Fairly significant, Not very significant, Not at all significant, I don't expect them to increase, I expect them to decrease, Don't know; base: All respondents (112).)

Q15. If you received a request from a regulatory body to provide an audit trail going back three years, how confident would you be of retrieving all of the necessary information within 48 hours? And how confident would you be about retrieving the necessary information at all (i.e. without a tight deadline)?
(Pie charts; category labels not reproduced.)
Conclusion
The respondents to this survey are all working for sophisticated organisations that should have a pretty good grasp of the issues that arise when managing crucial messaging environments for large, often global, financial institutions.
So if even small numbers of respondents to this survey claim to be having
problems with boundary protection, secure messaging and compliance,
there is cause for concern.
The methods used for hacking and the propagation of viruses and spam will continue
to evolve and become more sophisticated. So organisations are faced with a moving
target. They recognise the need for constant vigilance to guard against the threats,
and have subsequently placed a priority on dealing with these issues.
Compliance, on the other hand, is a relatively static challenge. Regulations and best
practice do periodically change and evolve, but each time they do, organisations
have an easily identifiable set of objectives to achieve. The challenge is how to achieve
these objectives.
But archiving and compliance still seem to be a bit of a blind spot for many
organisations. Although the focus on security and boundary protection is strong,
the expected increase in compliance budgets and lack of confidence in meeting
regulatory requests for access to archived communications shows that this is an area
that requires more work and focus, at least in the short term. Clearly though, the
SEC is leading the way, driving change in the US at a faster rate than the other
countries surveyed.
www.btconsulting.com/financialservices/mori
© British Telecommunications plc 2005. Registered Office: 81 Newgate Street, London, EC1A 7AJ.
Registered in England No 1800000.